[wp-trac] [WordPress Trac] #56140: Need to use esc_url escaping function instead of esc_attr.
WordPress Trac
noreply at wordpress.org
Tue Jul 5 12:21:31 UTC 2022
#56140: Need to use esc_url escaping function instead of esc_attr.
-----------------------------------+------------------------------
Reporter: vishitshah | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses:
-----------------------------------+------------------------------
Comment (by SergeyBiryukov):
Replying to [comment:1 audrasjb]:
> We only need to make sure that it is correctly escaped for the `value`
> attribute, don't we?
Yes, I think `esc_attr()` is correct here. It's not unlikely that some
might want to put "Website: none", "in progress", or something else that's
not a valid URL in their profile.
Requiring a valid URL and sanitizing it as such, with appropriate error
messages, could be a separate enhancement.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56140#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform